Friday, November 12, 2010

To Lock Users To Their Home Directories Only: CentOS / RedHat

rssh supports a chroot option. To chroot users, set the chrootpath
option. It names the directory where the root of the chroot jail
will be located. This is a security feature.

A chroot on a Linux or Unix OS is an operation that changes the root
directory. It affects only the current process and its children. If
your default home directory is /home/rajat, a normal user can still
access files in the /etc, /sbin or /bin directories. This allows an
attacker to install programs or a backdoor via your web server in
/tmp. chroot restricts file system access and locks users down to
their own directory.

Configuring rssh chroot

=> Chroot directory: /users.

Tip: If possible, mount the /users filesystem with the noexec/nosuid
options to improve security.

/usr/libexec/rssh_chroot_helper OR
/usr/lib/rssh/rssh_chroot_helper (suid must be set on this binary)

/bin/sh or /bin/bash (default shell)

Tip: Limit the binaries which live in the jail to the absolute
minimum required to improve security. Usually /bin/bash and /bin/sh
are not required, but some systems may give an error without them.

A note about jail file system

Note: The files need to be placed in the jail directory (such as
/users) in directories that mimic their placement in the root (/)
file system, so you need to copy all required files. For example,
/usr/bin/rssh is located on the / file system. If your jail is
located at /users, then copy /usr/bin/rssh to /users/usr/bin/rssh.
The following instructions are tested on:

Open the /users/group and /users/passwd files and remove root and
all other accounts.

Copy the required binary files, as described above, to your jail
directory /users/bin and other locations:

# cd /users/usr/bin

# cp /usr/bin/scp .

# cp /usr/bin/rssh .

# cp /usr/bin/sftp .

# cd /users/usr/libexec/openssh/

# cp /usr/libexec/openssh/sftp-server .

OR

# cp /usr/lib/openssh/sftp-server .

# cd /users/usr/libexec/

# cp /usr/libexec/rssh_chroot_helper .

OR

# cp /usr/lib/rssh/rssh_chroot_helper .

# cd /users/bin/

# cp /bin/sh .

OR

# cp /bin/bash .

Copy all shared library files

The library files that any of these
binary files need can be found by using the ldd / strace command. For
example, running ldd against /usr/bin/sftp provides the following
output:

ldd /usr/bin/sftp

Output:

linux-gate.so.1 => (0x00456000)

libresolv.so.2 => /lib/libresolv.so.2 (0x0050e000)

libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)

libutil.so.1 => /lib/libutil.so.1 (0x008ba000)

libz.so.1 => /usr/lib/libz.so.1 (0x00110000)

libnsl.so.1 => /lib/libnsl.so.1 (0x0080e000)

libcrypt.so.1 => /lib/libcrypt.so.1 (0x00a8c000)

libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00656000)

libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00271000)

libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00304000)

libcom_err.so.2 => /lib/libcom_err.so.2 (0x00777000)

libdl.so.2 => /lib/libdl.so.2 (0x00123000)

libnss3.so => /usr/lib/libnss3.so (0x00569000)

libc.so.6 => /lib/libc.so.6 (0x00b6c000)

libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00127000)

libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00130000)

/lib/ld-linux.so.2 (0x00525000)

libplc4.so => /usr/lib/libplc4.so (0x008c9000)

libplds4.so => /usr/lib/libplds4.so (0x00133000)

libnspr4.so => /usr/lib/libnspr4.so (0x00d04000)

libpthread.so.0 => /lib/libpthread.so.0 (0x0032a000)

libselinux.so.1 => /lib/libselinux.so.1 (0x00341000)

libsepol.so.1 => /lib/libsepol.so.1 (0x00964000)

You need to copy all those libraries to /lib and other appropriate
locations inside the jail. However, I recommend using my automated
script called l2chroot:

# cd /sbin

# wget -O l2chroot http://www.yeswedeal.biz/files/l2chroot.txt

# chmod +x l2chroot

Open l2chroot and set the BASE variable to point to the chroot
directory (jail) location:

BASE="/users"

Now copy all shared library files

# l2chroot /usr/bin/scp

# l2chroot /usr/bin/rssh

# l2chroot /usr/bin/sftp

# l2chroot /usr/libexec/openssh/sftp-server

OR

# l2chroot /usr/lib/openssh/sftp-server

# l2chroot /usr/libexec/rssh_chroot_helper

OR

# l2chroot /usr/lib/rssh/rssh_chroot_helper

# l2chroot /bin/sh

OR

# l2chroot /bin/bash
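
The library-copying step can also be done locally, without fetching a script over plain HTTP and running it as root. The following is an added example, not the l2chroot script and not code from the original post; the function names are assumptions, and it handles the three line shapes seen in the ldd output above.

```shell
#!/bin/sh
# Added example: copy a binary and the libraries ldd reports into a jail,
# mirroring their paths. Function names are assumptions of this sketch.

# Read ldd output on stdin, print each absolute library path once.
ldd_paths() {
    awk '
        # "libfoo.so.1 => not found": cannot be copied, report and fail
        $2 == "=>" && $3 == "not" { print "unresolved: " $1 > "/dev/stderr"; bad = 1; next }
        # "libz.so.1 => /usr/lib/libz.so.1 (0x...)": the path is field 3
        $2 == "=>" && $3 ~ /^\//  { if (!seen[$3]++) print $3; next }
        # "/lib/ld-linux.so.2 (0x...)": the loader, listed without "=>"
        $1 ~ /^\//                { if (!seen[$1]++) print $1; next }
        # "linux-gate.so.1 => (0x...)" has no file on disk and is skipped
        END { exit bad + 0 }
    '
}

# Copy one absolute path into the jail at the same relative location.
# $1 = jail root, $2 = absolute path of the file to copy
jail_copy() {
    jail=$1 path=$2
    case $path in
        /*) ;;
        *)  echo "not an absolute path: $path" >&2; return 1 ;;
    esac
    # -L copies the real file behind a symlink, -p keeps mode and times
    mkdir -p "$jail$(dirname "$path")" && cp -pL "$path" "$jail$path"
}

# Copy a binary and every library it needs. $1 = jail root, $2 = binary
jail_add_binary() {
    jail=$1 bin=$2
    jail_copy "$jail" "$bin" || return 1
    libs=$(ldd "$bin" | ldd_paths) || return 1
    for lib in $libs; do
        jail_copy "$jail" "$lib" || return 1
    done
}

# Example use, as root, with the jail from this page:
#   jail_add_binary /users /usr/bin/sftp
```

Run ldd only on binaries you trust, such as the system copies of scp, sftp and rssh used here.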

Modify syslogd configuration

The syslog library function works by writing messages into a FIFO
file such as /dev/log. You need to pass the
-a /path/to/chroot/dev/log option to syslogd. With this argument you
can specify additional sockets that syslogd has to listen on. This
is needed if you're going to let some daemon run within a chroot()
environment. You can use up to 19 additional sockets. If your
environment needs even more, you have to increase the symbol MAXFUNIX
within the syslogd.c source file. Open the /etc/sysconfig/syslog file:

# vi /etc/sysconfig/syslog

Find the line that reads as follows:

SYSLOGD_OPTIONS="-m 0"

Append -a /users/dev/log:

SYSLOGD_OPTIONS="-m 0 -a /users/dev/log"

Save and close the file. Restart
syslog:

# /etc/init.d/syslog restart

If you are using Debian / Ubuntu Linux, apply the changes to the
/etc/default/syslogd file.

Set chroot path

Open configuration file /etc/rssh.conf:

# vi /etc/rssh.conf

Set chrootpath to /users

chrootpath=/users

Save and close the file. If sshd is not running, start it:

# /etc/init.d/sshd start
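
Before adding users, the jail can be checked against the requirements stated above: chrootpath set, a setuid chroot helper, a noexec/nosuid mount, and no leftover accounts in the jail's passwd file. This is an added example, not part of the original post; the function names and every path passed to them are assumptions.

```shell
#!/bin/sh
# Added example: checks for a jail built as described on this page.
# Function names and all paths passed in are assumptions of this sketch.

# Print accounts in a jail passwd file that are not on the allowed list.
# $1 = jail copy of passwd, remaining arguments = accounts allowed to stay
jail_extra_accounts() {
    pwfile=$1; shift
    allowed=" $* "
    while IFS=: read -r name _rest; do
        [ -n "$name" ] || continue
        case $allowed in *" $name "*) ;; *) echo "$name" ;; esac
    done < "$pwfile"
}

# Print the value of a "key = value" line in rssh.conf (last occurrence,
# unquoted values only). $1 = conf file, $2 = key
rssh_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed if mount point $2 in a /proc/mounts-format file $1 carries
# every option named in the remaining arguments.
mount_has_opts() {
    table=$1 mnt=$2; shift 2
    opts=$(awk -v m="$mnt" '$2 == m { o = $4 } END { print o }' "$table")
    for want in "$@"; do
        case ",$opts," in *",$want,"*) ;; *) return 1 ;; esac
    done
}

# Run all checks; print one line per finding, return 1 if any was found.
# $1 = rssh.conf, $2 = jail passwd, $3 = chroot helper, $4 = mounts table,
# remaining arguments = accounts allowed in the jail passwd
audit_jail() {
    conf=$1 pw=$2 helper=$3 mounts=$4; shift 4
    rc=0
    jail=$(rssh_conf_value "$conf" chrootpath)
    [ -n "$jail" ] || { echo "chrootpath is not set in $conf"; rc=1; }
    # -u tests the setuid bit the page says the helper must have
    [ -u "$helper" ] || { echo "helper is not setuid: $helper"; rc=1; }
    mount_has_opts "$mounts" "$jail" noexec nosuid ||
        { echo "jail is not a noexec,nosuid mount: $jail"; rc=1; }
    extra=$(jail_extra_accounts "$pw" "$@")
    [ -z "$extra" ] || { echo "extra jail accounts:" $extra; rc=1; }
    return $rc
}
```

Pass /proc/mounts as the mounts table and the jail's own passwd copy, for example: audit_jail /etc/rssh.conf /users/passwd /usr/libexec/rssh_chroot_helper /proc/mounts bidi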

Add user to jail

Now rssh is installed. The next logical step is to configure a user
to use rssh. All you have to do is set the user account's shell to
/usr/bin/rssh. The following examples add the user bidi to the system
with /usr/bin/rssh.

Create a new user with /usr/bin/rssh

Log in as the root user.

Type the following commands to create a new user called bidi:

# useradd -m -d /home/bidi -s /usr/bin/rssh bidi

# passwd bidi

Change existing user shell to /usr/bin/rssh

You don't have to edit the /etc/passwd file to change your shell.
You need to use the chsh command. It changes the user login shell.
This determines the name of the user's initial login command. A
normal user may only change the login shell for his/her own account;
the superuser, i.e. the root user, may change the login shell for any
account. The following is the syntax of the chsh command:

chsh -s {shell-name} {user-name}

By default, the rssh configuration locks down everything, including
any sort of access.

Grant access to sftp and scp for all users

The default action for rssh is to lock down everything. To grant
access to scp or sftp, open the /etc/rssh.conf file:

# vi /etc/rssh.conf

Append or uncomment the following two lines:

allowscp

allowsftp

Save and close the file. rssh reads its configuration file on the
fly (there is no rssh service). Now the user should be able to run
scp and sftp commands, but no shell access is granted:

# scp /path/to/file bidi@my.backup.server.com:/.

OR

# sftp bidi@my.backup.server.com:/.

Output: